Paranoid Technology All things cybersecurity

24 Sep 2014

Cyber Information Sharing Act



Cybersecurity Information Sharing Act (CISA) - a.k.a. Cybersecurity Information Sharing and Protection Act (CISPA) - is the latest excitement after PIPA and SOPA. Already dropped once, CISA is back in discussion after some privacy concerns were addressed thanks to Senators Dianne Feinstein (D-Calif.) and Saxby Chambliss (R-Ga.). There are plenty of reasons to be skeptical about CISA given the government's recent NSA overreach; this “voluntary” information sharing between private companies and the government has some broad language that leaves room for unwarranted data-mining taps and hack-back activities for domestic cybersecurity. In summary, the bill proposes the following (read between the lines 😉):

  • Requires the director of national intelligence to increase the sharing of classified and unclassified cyber threat information to the private sector, consistent with the protection of sources and methods.
  • Authorizes individuals and companies to monitor their own computer networks and those of their consenting customers for cyber threats and to implement countermeasures to block those threats.
  • Authorizes the voluntary sharing of cyber threat information by individuals and companies with each other and with the government. Such sharing is for cyber security purposes only and companies must take appropriate measures to protect against the sharing of personally identifying information.
  • Puts in place liability protections for individuals and companies that appropriately monitor their networks or share cyber information.
  • Requires federal government procedures for the receipt, sharing and use of cyber information. This includes the establishment of a “portal” managed by the Department of Homeland Security through which electronic cyber information will enter the government and be shared with other appropriate federal entities.
  • Limits the government’s ability to use information it receives to cyber-related purposes to ensure it does not engage in inappropriate investigations or regulation.
  • Requires reports on the implementation of these authorities by the heads of federal departments, the Privacy and Civil Liberties Oversight Board and relevant inspectors general.

The way CISPA was written earlier in 2014, it would have given US companies the legal protection to share cyberattack incidents with the government, which could then help companies better defend sensitive information, such as the design for sensitive military technology and US sensitive infrastructure. The way the law stands now, cyberattack information is only supposed to be shared in emergencies; otherwise it can be a violation of laws like the Electronic Communications Privacy Act (ECPA) and the Wiretap Act. Tech companies, including Google and Facebook, have quietly supported CISPA in the past, possibly because, according to Snowden, they were already being forced to share user information with the US government anyway, and CISPA would protect them from lawsuits.

The bill's broad language, which set no limits on what the government could do with the personal information it obtained as long as it fell under the national security umbrella, is an issue with privacy advocates and many Senate Democrats.

Even though sponsors of the bill indicate that the information sharing will be very limited, covering only cyber security threats and not the daily communications of Americans, it will be interesting to see how the bill makes its way to a Senate floor debate...

See CISA Discussion Draft on senate.gov
